[keycloak-user] SAML Broker in Keycloak 1.2 Snapshot

Pedro Igor Silva psilva at redhat.com
Thu Feb 19 08:46:22 EST 2015


----- Original Message -----
> From: "Raghu Prabhala" <prabhalar at yahoo.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: "Keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Thursday, February 19, 2015 11:25:24 AM
> Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
> 
> Hi Pedro - Please see my comments inline.
> Thanks, Raghu
> 
> From: Pedro Igor Silva <psilva at redhat.com>
> To: Raghu Prabhala <prabhalar at yahoo.com>
> Cc: Keycloak-user <keycloak-user at lists.jboss.org>
> Sent: Thursday, February 19, 2015 6:33 AM
> Subject: Re: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
> 
> ----- Original Message -----
> > From: "Raghu Prabhala" <prabhalar at yahoo.com>
> > To: "Keycloak-user" <keycloak-user at lists.jboss.org>
> > Sent: Thursday, February 19, 2015 12:20:00 AM
> > Subject: [keycloak-user] SAML Broker in Keycloak 1.2 Snapshot
> > 
> > Hi,
> > 
> > I tested out the SAML broker functionality that is listed in the below
> > example
> > https://github.com/keycloak/keycloak/tree/master/examples/broker/saml-broker-authentication
> > 
> > We have a very important use case that is similar to the above except that
> > the SAML Identity broker is ADFS and a few issues are preventing me from
> > testing it out:
> > 
> > 1) The ADFS IDP requires that I upload the KC SAML broker information (SAML
> > metadata) which is not available currently. Perhaps I can generate my own
> > metadata using the above example but would prefer KC to provide one that is
> > similar to IDP metadata that is listed in the documentation.
> 
> In this case you need an SPSSODescriptor, right? I think we can easily
> implement an endpoint to retrieve SP metadata for SAML applications.
> [RAGHU] - Yes. SPSSODescriptor is what I am looking for. Great. Looking
> forward to see it near term.
> > 2) The ADFS IDP metadata has a RoleDescriptor element that is not currently
> > being parsed by the KC SAML broker. I logged my issues in the JIRA
> > https://issues.jboss.org/browse/KEYCLOAK-883
> 
> I've already fixed our parsers. However, the RoleDescriptor elements you have in that
> metadata are describing WS-Federation entities that will just be ignored.
> 
> 
> [RAGHU] - Great. Thanks Pedro. Unfortunately all the claims are described
> under RoleDescriptor, so I will have to build something to handle that.
> Any advice on where I should start?

A few questions ...

Can you give more details on why you need to handle that?

Your use case is about brokering the SAML Identity Provider described by an IdP descriptor alongside your metadata, right? Or are you trying to broker an STS?

> 
> > 3) The roles and other claims need to be passed back to the client
> > applications using OIDC (I am aware that Bill is making some functionality
> > available over the next few days and hopefully it will address my
> > requirement)
> > 
> > Any suggestions on how I handle the first two?
> > 
> > Thanks,
> > Raghu
> > 
> > 
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> 
> 
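The two metadata problems in this thread (ADFS publishing its claim catalogue only under WS-Federation RoleDescriptor elements, and the broker needing SP metadata with an SPSSODescriptor that ADFS can import) can be handled outside the server while the Keycloak endpoint is being written. The script below is an added example and is not Keycloak code or anything Pedro or Raghu posted: it parses a FederationMetadata.xml-style document, takes the SAML endpoints and signing certificate from the IDPSSODescriptor, records the RoleDescriptor entries as WS-Federation roles to be ignored for SAML brokering while still harvesting the claim types they advertise, and emits minimal SP metadata for a broker endpoint. The sample metadata, the `adfs.example.test` and `kc.example.test` URLs, the certificate value and the broker endpoint path are all constructed for the example.

```python
"""Metadata helpers for brokering an ADFS IdP through a SAML SP (added example).

Assumptions (not from the thread): the ADFS document below is a constructed
sample shaped like FederationMetadata.xml; the Keycloak broker endpoint URL is
a placeholder.  Fetch real metadata over TLS and verify its XML signature before
trusting the certificates it carries; this example does not do that."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"
AUTH = "http://docs.oasis-open.org/wsfed/authorization/200706"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"md": MD, "ds": DS, "fed": FED, "auth": AUTH}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample laid out like an ADFS FederationMetadata.xml (not a real file).
SAMPLE_ADFS_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:fed="{FED}" xmlns:auth="{AUTH}"
    xmlns:xsi="{XSI}" entityID="http://adfs.example.test/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="{FED}">
    <fed:TargetScopes/>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="{FED}">
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true">
        <auth:DisplayName>E-Mail Address</auth:DisplayName>
      </auth:ClaimType>
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">
        <auth:DisplayName>Role</auth:DisplayName>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>MIIC-FAKE-SIGNING-CERT</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_adfs_metadata(xml_text):
    """Return the SAML-relevant parts of an IdP EntityDescriptor plus the claim
    catalogue that ADFS only publishes under its WS-Federation RoleDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: nothing to broker over SAML")
    info = {"entity_id": root.get("entityID"), "sso": {}, "slo": {},
            "signing_certs": [], "claims": {}, "wsfed_roles": []}
    for svc in idp.findall("md:SingleSignOnService", NS):
        info["sso"][svc.get("Binding")] = svc.get("Location")
    for svc in idp.findall("md:SingleLogoutService", NS):
        info["slo"][svc.get("Binding")] = svc.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join(cert.text.split())  # base64 is usually wrapped across lines
            if b64 not in info["signing_certs"]:  # ADFS repeats the same cert
                info["signing_certs"].append(b64)
    # RoleDescriptor entries describe WS-Federation roles, so a SAML broker skips
    # them; the STS role is still the only place the offered claims are listed.
    for role in root.findall("md:RoleDescriptor", NS):
        info["wsfed_roles"].append(role.get(f"{{{XSI}}}type"))
        for ct in role.findall("fed:ClaimTypesOffered/auth:ClaimType", NS):
            name = ct.find("auth:DisplayName", NS)
            info["claims"][ct.get("Uri")] = name.text if name is not None else ""
    return info


def build_sp_metadata(entity_id, acs_url, slo_url=None):
    """Emit EntityDescriptor/SPSSODescriptor metadata for the broker so ADFS can
    import it as a relying party. No KeyDescriptor is included; add one if the
    broker signs AuthnRequests or expects encrypted assertions."""
    ET.register_namespace("md", MD)
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", AuthnRequestsSigned="false",
                       WantAssertionsSigned="true",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    if slo_url:  # schema order: SingleLogoutService before NameIDFormat
        ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", Binding=HTTP_POST, Location=slo_url)
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=HTTP_POST,
                  Location=acs_url, index="0", isDefault="true")
    return ET.tostring(ed, encoding="unicode")


if __name__ == "__main__":
    idp_info = parse_adfs_metadata(SAMPLE_ADFS_METADATA)
    print("IdP:", idp_info["entity_id"], "SSO POST:", idp_info["sso"][HTTP_POST])
    print("ignored WS-Fed roles:", idp_info["wsfed_roles"])
    print("claims:", idp_info["claims"])
    # Placeholder broker endpoint; the real path comes from your Keycloak install.
    print(build_sp_metadata("https://kc.example.test/auth/realms/demo",
                            "https://kc.example.test/auth/realms/demo/broker/adfs/endpoint"))
```

The parser refuses a document with no IDPSSODescriptor rather than falling through to the RoleDescriptor data, which is the difference between brokering a SAML IdP and trying to broker a WS-Federation STS. When feeding the generated SP metadata to ADFS, the certificate ADFS trusts for assertion verification is the one in `signing_certs`; check it against the value published in the ADFS console before relying on it.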


